Unified Security Configuration and Vulnerability Management

One of the biggest problems with deploying multiple security solutions is bringing them together in a meaningful way. By combining data between solutions we can deliver higher level context that allows us to make more informed decisions about actions we can take to reduce risk in the environment. Security data without action is essentially useless.

This article outlines a method of inserting Tripwire IP360 scores into Tripwire Enterprise (TE). The first question I’m usually asked when discussing this is ‘Why?’. Why would you want to get vulnerability scores into TE?

The answer is that it provides context to the asset that we’re monitoring. In my previous article here I referenced this around using context to provide a level of dynamic monitoring. The more context you can provide to an asset the better. This allows far more efficiency within the solution, as well as slicing reports in a more useful manner.

This example integration takes the vulnerability score of an asset from Tripwire IP360 and converts it to ‘High’, ‘Medium’ or ‘Low’ and tags the equivalent asset within TE’s Asset View. Asset View has limitations on the number of tags that can be applied overall. The current limit is around 4000 but this can be raised or lowered with other settings.

However, I typically wouldn’t expect this to be a limit that anyone is going to approach any time soon. Given the (almost) infinite scores that IP360 can create, using them directly would be impossible and, probably, pointless.

The methods I used are not the only ones that could be used, but I found them fairly easy to implement. You will need access to the following technology:

TECommander – Tripwire Enterprise SOAP CLI. Documentation is included in how to set this up. Please contact a Tripwire representative if you wish to have a copy.

Python 3.x – This will be our primary scripting language for integration

Text editor – For editing .py files

The method outlined here has 4 basic phases:

Export list of IPs from Tripwire Enterprise

Look up IPs found via IP360 API

Tag assets in TE Asset View

Automate the process

The implementation is simple and will all be run from a single Python script that will be run periodically. The majority of this article will cover off the key components of the Python script. So, let’s look at the various steps involved:

1. Obtaining our list of IP addresses from TE

The easiest method of doing this is to create a report in TE with a unique name and then use TECommander to export that report for use. You will need to set the following options on that report:

Create a new report of type ‘Device Inventory’ in a folder of choice. Ensure it has a unique name

On the ‘Criteria->General’ tab. Ensure that the ‘Display IP Addresses’ option is checked

On the ‘Nodes’ tab choose ‘Root Node Group->Smart Node Groups->System Tag Sets->Operating System’. We don’t want the databases, directory servers and so on in this instance, as the vulnerability score will only be attached to the IP address

Click ‘OK’ to save the report

Once this has been done then we can start our Python script and do all the fun work of actually extracting them. To allow us to make use of the command line we will need to use something like the below:

NOTE: There is a username and password here. If you wish to obfuscate these then I would recommend creating global variables to store them both and pass them into your script. I’ll discuss how to do this later in the blog

Now we need to read the contents of the file into memory and start parsing the data to create a simple list of IPs and OIDs (an OID is a unique identifier for an asset within Tripwire Enterprise.)

You can use any method of accessing the information from this XML file, but I’ve always failed to get the XML searching working to my satisfaction (I’m new to the Python scripting scene) so I’ve just made use of regex to pull what I need out of the data. It may not be the most efficient, but I know it works.

Firstly, create a couple of helper functions that we’ll make use of later (credit: Andrew Bowman @ Tripwire)

def get_object_info(vne, session_cookie, object_id):
    """Retrieves info for an object instance given a reference to the object.

    vne is the IP360 API connection, session_cookie the logged-in session,
    and object_id the reference to the object whose attributes we want.
    """
    result = vne.call(session_cookie, object_id, 'getAttributes', {})
    return result

Again, there is a username and password in here. I’d recommend that you only pass these in as a variable via a Global Variable in TE, to make sure that no passwords are stored in plain text.

Now we need to do the following:

Find the latest vulnerability score for the asset in question

Assess that score and assign a High, Medium or Low ranking to it

Create a tagging string for that asset for use later

In the example below, I’m using Global Variables sent from TE to define my High, Medium and Low thresholds. You can see them as intMedium and intHigh. This is so that when all this is put together I only ever need to make changes within TE rather than alter the script.

I’m also creating an untag/tag command for each asset as well. I don’t want any asset to have multiple tags with regard to vulnerability. It can only be High, Medium OR Low.

NOTE: I am making use of class.Host above, not PersistentHost. There are many reasons behind this, but the principal one is that it is easier to process. The last scan result will hold the information I am interested in and it doesn’t really matter whether this has been through DHT or not. I’m also aware that TE tends to hold only the critical assets of the network, so they do tend to be statically IP’d.

I’m also creating an output file (strOutputFile) and dumping the strOutput content into it. This is a list of tecommander commands that I can use in the next step to actually tag the asset in TE.
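The scoring and tagging step above, as an added example that is not the article’s own script: it ranks each asset’s latest IP360 score against the intMedium/intHigh thresholds, emits an untag-then-tag command sequence per asset so no asset ever carries more than one vulnerability tag, and writes the list to strOutputFile. The tecommander tag/untag command syntax is not given in the article, so UNTAG_LINE and TAG_LINE are placeholders; the asset and score data are constructed.

```python
from typing import Dict, List, Tuple

# Placeholder command formats: replace with the tag/untag syntax from your
# TECommander documentation. Only the overall structure is demonstrated here.
LEVELS = ("High", "Medium", "Low")
UNTAG_LINE = "untag {oid} Vulnerability:{level}"
TAG_LINE = "tag {oid} Vulnerability:{level}"


def rank_score(score: float, int_medium: int, int_high: int) -> str:
    """Map a raw IP360 score onto the High/Medium/Low scale using the
    intMedium and intHigh thresholds passed in from TE Global Variables."""
    if int_medium > int_high:
        raise ValueError("intMedium must not exceed intHigh")
    if score >= int_high:
        return "High"
    if score >= int_medium:
        return "Medium"
    return "Low"


def build_commands(assets: Dict[str, str], scores: Dict[str, float],
                   int_medium: int, int_high: int) -> Tuple[List[str], List[str]]:
    """assets: {ip: TE OID} parsed from the TE report; scores: {ip: latest IP360 score}.
    Every asset is untagged from all three levels before its new tag is applied.
    Assets TE knows but IP360 has no score for are returned separately, untouched."""
    commands: List[str] = []
    unscored: List[str] = []
    for ip, oid in sorted(assets.items()):
        if ip not in scores:
            unscored.append(ip)
            continue
        level = rank_score(scores[ip], int_medium, int_high)
        commands.extend(UNTAG_LINE.format(oid=oid, level=old) for old in LEVELS)
        commands.append(TAG_LINE.format(oid=oid, level=level))
    return commands, unscored


def write_output(str_output_file: str, commands: List[str]) -> int:
    """Dump the command list to strOutputFile; returns the number of lines written."""
    with open(str_output_file, "w", encoding="utf-8") as fh:
        fh.write("\n".join(commands) + "\n")
    return len(commands)


if __name__ == "__main__":
    # Constructed sample data standing in for the parsed TE report and IP360 lookups.
    sample_assets = {"10.0.0.5": "oid-a", "10.0.0.9": "oid-b", "10.0.0.12": "oid-c"}
    sample_scores = {"10.0.0.5": 25000, "10.0.0.9": 1500}
    cmds, missing = build_commands(sample_assets, sample_scores, int_medium=1000, int_high=10000)
    print("\n".join(cmds)); print("unscored:", missing)
```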

3. Tag assets in TE Asset View

Now the easy bit! Just call tecommander with the filename above (strOutputFile)

<path to tecommander.bin/sh> + ' @' + strOutputFile

4. Automate the process

Automating this process is fairly simple, but I would recommend that you think about the Global Variables in TE that you would like to send through to the script. In my instance I sent the following:

Path to tecommander

Medium Threshold of IP360 vulnerability score

High Threshold of IP360 vulnerability score

Tecommander username

Tecommander password

IP360 API URL

IP360 API username

IP360 API password

Then create a ‘Command Output Capture Rule’ (COCR) that contains the following as a command: